== 26 April 2011 ==

We are pleased to announce that OWASP France is part of the [http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011 ENISA's Who-is-Who Directory].

ENISA is the European Network and Information Security Agency.

[http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011/at_download/fullReport The ENISA Who-is-Who Directory on Network and Information Security 2011] contains information on NIS stakeholders, such as national and European authorities and NIS organisations, contact details, websites, and areas of responsibility or activity.

This Directory serves as the "yellow pages" of Network and Information Security (NIS) in Europe. As such, it is a useful tool for those working closely with NIS issues in Europe.

== Top Ten 2010 Translation ==

The '''OWASP Top Ten 2010 in French''' is [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf available].
Revision as of 09:23, 26 March 2014

OWASP France

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Here is a presentation I gave in Sept for a big Software maker in an internal meeting. This presentation aims to be re-used at your convenience depending on your needs / your context. Designed in 3 parts, this presentation is / could be useful for local Chapters, any Security Awareness purposes, or people and firms interested in OWASP and willing to join the Foundation as Members. The first 2 parts are more of an update for those who are not yet familiar with OWASP, the 3rd part being more specific because it is about a hot topic that is gaining importance in the context of Application Security.
1st part is about OWASP.
2nd part is an update about the main OWASP Projects and Reboot.
3rd part is about Legal, the evolution of the legal framework, with a focus on the question "Developers, Software makers held liable for code?"
I hope this helps anyway. Enjoy and feel free to email me, all comments welcome!

Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.

Access Control is a necessary security control at almost every layer within a web application. This talk will also detail several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default, among other positive design attributes that make up a robust web-based access-control mechanism.

'''Speaker''': Jim Manico

Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997.
He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.

The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to the many aspects of Legal compliance, you will see why Web Application Security is also linked to Legal and Regulatory aspects, as well as to Corporate Responsibility, and so to yours. Who is accountable for what, and what about each other's responsibility? Nowadays, legal constraints oblige us to comply via technical means, whatever the local framework, and this is especially true for Web Application Security, since much sensitive information has to be handled through these web interfaces. As such, what do you think about your Security Policy's compliance with your local Legal framework? Compliant? Sure? Really? Interesting, isn't it? Let's have a talk about this.


Topics covered by Jim Manico:

'''Authentication Best Practices for Developers:''' This module will discuss the security mechanisms found within an authentication (AuthN) layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk, high-security web application. Session management threats and best practices will also be covered. This module will include several technical demonstrations and code review labs.

'''Access Control Design Best Practices:''' Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default, among other positive design attributes that make up a robust web-based access-control mechanism.

We are honored to welcome Jim Manico during his European Tour in the Netherlands, Belgium and France.
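The anti-patterns named in the two access-control abstracts above (hard-coded policy, missing horizontal access control, fail-open checks) beside the deny-by-default, activity-based, data-contextual design they call for, as an added example that is not code from the page or from the speaker; the `User`/`Invoice` records, the role names and the `POLICY` table are assumptions made for illustration:

```python
# Added example (not code from the page or the speaker): the access-control
# anti-patterns named in the abstracts beside a deny-by-default, activity-based,
# data-contextual check. All names, roles and records are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    roles: object  # frozenset of role names; None mimics a missing session attribute

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int

def legacy_can(user, action, invoice):
    """Anti-pattern: hard-coded role policy, vertical check only, fails open."""
    try:
        if "admin" in user.roles:  # raises TypeError when roles is None
            return True
        if action == "view":
            return True            # no horizontal check: any user may view any invoice
        return False
    except Exception:
        return True                # fail open: an unexpected error grants access

# Positive design: the policy is data keyed by activity (configurable), and every
# rule receives the resource it guards (data contextual), so ownership is checked.
POLICY = {
    "invoice:view": lambda u, inv: "admin" in u.roles or inv.owner_id == u.id,
    # separation of duties: accounting approves, but never its own invoices
    "invoice:approve": lambda u, inv: "accounting" in u.roles and inv.owner_id != u.id,
}

def is_authorized(user, activity, invoice, policy=POLICY):
    """Deny by default: an unknown activity, a falsy rule result or any error denies."""
    rule = policy.get(activity)
    if rule is None:
        return False
    try:
        return bool(rule(user, invoice))
    except Exception:
        return False               # fail closed

if __name__ == "__main__":
    bob, broken, inv = User(2, frozenset({"user"})), User(4, None), Invoice(10, owner_id=1)
    print("legacy:", legacy_can(bob, "view", inv), legacy_can(broken, "view", inv))  # True True
    print("policy:", is_authorized(bob, "invoice:view", inv), is_authorized(broken, "invoice:view", inv))  # False False
```

Replacing the `POLICY` dict with one loaded from configuration changes who may do what without touching the enforcement code, which is the "configurable, flexible" property the abstract asks for.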

Overview

Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

The course will be very practical: demonstrations and hands-on exercises will be provided for the tools covered.

If you are interested in participating in the hands-on portion of the course, please bring a laptop.

This talk will discuss the past methods used for XSS defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google CAJA project and JSReg.

'''Speaker'''

Jim Manico is a managing partner of Infrared Security with over 15 years of professional web development experience. Jim is also the Chair of the OWASP Connections Committee, one of the Project Managers of the OWASP ESAPI Project, a participant and manager of the OWASP Cheatsheet series, the Producer and host of the OWASP Podcast Series, the Manager of the OWASP Java HTML Sanitizer project and the manager of the OWASP Java Encoder project. When not OWASP'ing, Jim lives on the island of Kauai with his lovely wife Tracey.